From 857eaf37225f30609fef43222ba4db4ad88847e6 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 26 Mar 2018 15:53:49 +0100
Subject: [PATCH] Cutthrough: enforce non-use in combination with DKIM signing or transport filter
Broken-by: 02b41d7106
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/verify.c | 14 ++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8e9ef4283..525f47b31 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -178,6 +178,10 @@ JH/33 SPF: remove support for the "spf" ACL condition outcome values "err_temp" and "err_perm", deprecated since 4.83 when the RFC-defined words "temperror" and "permerror" were introduced.
+JH/34 Re-introduce enforcement of no cutthrough delivery on transports having
+ transport-filters or DKIM-signing. The restriction was lost in the
+ consolidation of verify-callout and delivery SMTP handling.
+
Exim version 4.90 -----------------
diff --git a/src/src/verify.c b/src/src/verify.c
index 9582fe5b7..1df856604 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1026,6 +1026,20 @@ no_conn: here is where we want to leave the conn open. Ditto for a lazy-close verify. */
+ if (cutthrough.delivery)
+ {
+ if (addr->transport->filter_command)
+ {
+ cutthrough.delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
+ }
+ if (ob->dkim.dkim_domain)
+ {
+ cutthrough.delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
+ }
+ }
+
if ( (cutthrough.delivery || options & vopt_callout_hold) && rcpt_count == 1 && done
--
2.30.2
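Review bot: The new test `if (ob->dkim.dkim_domain)` in the src/src/verify.c hunk is compiled unconditionally; if the `dkim` member of the options block exists only in builds with DKIM support (not visible in this hunk), a build with `DISABLE_DKIM` defined would stop compiling, and the test should sit between `#ifndef DISABLE_DKIM` and `#endif`. The cancellation is also reported only through `HDEBUG`, so an operator who requested cutthrough gets no ordinary log evidence that a transport filter or signing setting overrode it; a main-log line, or a documented statement that the override is silent by design, would help when diagnosing why messages took the normal delivery path. A short comment above `if (cutthrough.delivery)`, for example `/* Cutthrough delivery bypasses the transport filter and DKIM signing, so it must not be used when either is configured */`, would help keep the restriction from being lost in a later refactor; that rationale is inferred from the ChangeLog entry and should be confirmed. The enclosing function starts and ends outside the hunk.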